CVE-2024-13771
📋 TL;DR
This vulnerability allows unauthenticated attackers to reset passwords for any user account in the Civi WordPress theme, including administrators, by exploiting insufficient user validation. All WordPress sites using the Civi theme version 2.1.4 or earlier are affected. Attackers only need to know the target username to take over accounts.
💻 Affected Systems
- Civi - Job Board & Freelance Marketplace WordPress Theme
📦 What is this software?
Civi by Uxper
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers reset administrator passwords, gain full control of the WordPress installation, and can install backdoors, steal data, or deface the site.
Likely Case
Account takeover of high-privilege users leading to data theft, content manipulation, or installation of malicious plugins/themes.
If Mitigated
Limited impact if strong network controls prevent external access or if immediate detection triggers response before damage occurs.
🎯 Exploit Status
Exploitation requires only knowledge of target usernames and sending crafted HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.1.4
Vendor Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab2c74d-b83b-40ea-951c-83aeb76a7515?source=cve
Restart Required: No
Instructions:
1. Update the Civi theme to the latest version via the WordPress admin panel.
2. Verify the update completed successfully.
3. Test the password reset functionality.
🔧 Temporary Workarounds
Disable vulnerable theme
Temporarily switch to a different WordPress theme until patched
Block vulnerable endpoint
Use web server rules to block access to the vulnerable PHP file
# For Apache: add to .htaccess
# (Order/Deny is the 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files "class-ajax.php">
Order Allow,Deny
Deny from all
</Files>
# For Nginx: add to server block
location ~* /includes/class-ajax\.php$ {
deny all;
}
🧯 If You Can't Patch
- Immediately disable the Civi theme and switch to a secure alternative theme
- Implement web application firewall rules to block requests to /includes/class-ajax.php
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for Civi theme version 2.1.4 or earlier
Check Version:
wp theme list --fields=name,version --format=csv | grep -i civi
Verify Fix Applied:
Confirm Civi theme version is higher than 2.1.4 in WordPress admin panel
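For sites where WP-CLI is not available, the installed version can also be read from the theme's style.css header, which WordPress uses as the theme's version of record. The script below is an added example, not part of this advisory or of the Civi theme; it parses the Version: header and compares it numerically against 2.1.4 (a plain string comparison would wrongly rank 2.1.10 below 2.1.4). The sample style.css header is constructed, and the theme directory path is an assumption.

```python
import re
from pathlib import Path

# Last known vulnerable version from the advisory.
LAST_VULNERABLE = "2.1.4"

# Constructed sample of a WordPress theme style.css header (not a real Civi file).
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Civi
Theme URI: https://example.invalid/civi
Author: Uxper
Version: 2.1.4
*/
"""


def parse_theme_version(style_css: str):
    """Return the value of the 'Version:' header in a theme's style.css, or None."""
    m = re.search(r"^\s*Version:\s*(\S+)", style_css, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str):
    """Split a dotted version into integers so that 2.1.10 > 2.1.4 compares correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def civi_is_vulnerable(version: str, last_vulnerable: str = LAST_VULNERABLE) -> bool:
    """True when the installed version is 2.1.4 or earlier."""
    return version_tuple(version) <= version_tuple(last_vulnerable)


def check_installed_theme(theme_dir: str = "/var/www/html/wp-content/themes/civi"):
    """Read style.css from the theme directory (path is an assumption) and report status."""
    css = Path(theme_dir, "style.css").read_text(encoding="utf-8", errors="replace")
    version = parse_theme_version(css)
    if version is None:
        return None, None
    return version, civi_is_vulnerable(version)


if __name__ == "__main__":
    v = parse_theme_version(SAMPLE_STYLE_CSS)
    print(f"sample header version {v}: vulnerable={civi_is_vulnerable(v)}")
```

Run check_installed_theme() on the server itself; a result of (version, True) means the site still needs the update.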
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-content/themes/civi/includes/class-ajax.php
- Multiple failed login attempts followed by successful password reset for same user
- Password reset emails sent to unexpected addresses
Network Indicators:
- HTTP POST requests to class-ajax.php with password reset parameters from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/wp-content/themes/civi/includes/class-ajax.php" AND method="POST" AND (user_agent NOT CONTAINS "WordPress" OR src_ip NOT IN allowed_ips)
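The log indicators above can be turned into a small triage script. The following is an added example, not part of this advisory: it parses combined-format web server log lines, keeps only POST requests to the Civi AJAX handler, and scores a request as suspicious when it lacks a same-site Referer or a browser-style User-Agent (front-end theme features call this file from the browser, so such requests normally carry both). The heuristics, the site hostname and the sample log lines are constructed assumptions for illustration; tune them against your own baseline traffic.

```python
import re
from collections import Counter

# Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory's log indicators.
VULN_PATH = "/wp-content/themes/civi/includes/class-ajax.php"

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:09 +0000] "POST /wp-content/themes/civi/includes/class-ajax.php HTTP/1.1" 200 61 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2025:10:01:10 +0000] "POST /wp-content/themes/civi/includes/class-ajax.php HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:02:30 +0000] "POST /wp-content/themes/civi/includes/class-ajax.php HTTP/1.1" 200 540 "https://example.com/jobs/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:02:31 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec: dict, site_host: str = "example.com") -> bool:
    """POST to the vulnerable endpoint without a same-site Referer or a browser UA (heuristic)."""
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != VULN_PATH:
        return False
    ref = rec["referer"]
    from_site = ref.startswith(f"https://{site_host}/") or ref.startswith(f"http://{site_host}/")
    browser_ua = rec["ua"].startswith("Mozilla/")
    return not (from_site and browser_ua)


def find_suspicious_sources(log_text: str, site_host: str = "example.com", threshold: int = 1):
    """Map source IP -> number of suspicious hits, keeping only IPs at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec, site_host):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspicious POST(s) to {VULN_PATH}")
```

Flagged sources should be correlated with the other indicators listed above (password reset emails and successful resets for the same user in the same window) before treating them as confirmed exploitation.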